SELinux context

The first field is the SELinux user. SELinux users can be listed with semanage, and by default Linux users are mapped to unconfined_u. The second field is the role, and the third field is the type of the file.

In this blog post, we are interested in the fourth field, s0. This field is used by the SELinux MLS policy and is optional in the targeted policy (the default on Fedora). The MLS policy is currently "experimental". MLS would give up to 10 security levels, s0-s9.

MCS, however, is supported in the targeted policy. The targeted policy uses a single sensitivity level, s0, but allows up to 1024 "categories", c0-c1023.

To use MCS, the system administrator maps a Linux user to an SELinux user (such as user_u or staff_u) and assigns the range of MCS categories that user may access. Users can then assign categories to their files with the chcat command.

Using Multi-Category Security (MCS)

Configure categories

Note: this step is optional; you can use MCS categories by number without defining them in setrans.conf. If you define them in setrans.conf, you can then refer to a category by name.

As root, edit /etc/selinux/targeted/setrans.conf

sudo vim /etc/selinux/targeted/setrans.conf

Add categories at the bottom

s0:c1=secret

s0:c2=4youreyesonly

Save your changes and restart mcstrans

sudo systemctl restart mcstrans.service

List your categories. Note this command does not need to be run as root.
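The two ideas behind the steps above, name-to-category translation via setrans.conf and the category check that MCS enforces, are easier to see in a small model. The following is an added example written for this post, not mcstrans, libselinux or any code from the original; it re-implements the logic in plain Python so it runs offline. The setrans.conf lines are the two from this post, embedded as a constructed sample, and the rendered form "s0:secret,4youreyesonly" is a simplified rendering (the exact display format of mcstrans depends on its configuration). The dominance rule it models is the MCS constraint for files: a process may touch a file only if the process's category set contains every category on the file.

```python
"""Model of MCS category translation and the MCS dominance rule.

Added illustration, not the mcstrans daemon or libselinux. It shows:
  * parsing setrans.conf-style "s0:cN=name" lines,
  * expanding category specs such as "s0:c1,c3.c5" into sets,
  * building a raw level from category names (what chcat lets users do), and
  * the superset check that decides whether a process label may access a file label.
"""
import re

# Constructed sample: the two lines this post adds to /etc/selinux/targeted/setrans.conf.
SETRANS_SAMPLE = """\
# trailing lines added by the administrator
s0:c1=secret
s0:c2=4youreyesonly
"""

MAX_CATEGORY = 1023  # the targeted policy allows c0-c1023


def parse_setrans(text):
    """Return {"secret": "s0:c1", ...} from setrans.conf-style lines; comments are skipped."""
    names = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        raw, name = line.split("=", 1)
        names[name.strip()] = raw.strip()
    return names


def categories(level):
    """Expand the category part of a level ('s0:c1,c3.c5') into a set of ints.

    'cA.cB' is an inclusive range. Raises ValueError for anything outside c0-c1023.
    """
    cats = set()
    if ":" not in level:
        return cats  # plain sensitivity such as 's0': no categories
    for item in level.split(":", 1)[1].split(","):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item.strip())
        if not m:
            raise ValueError("bad category spec: " + item)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo or hi > MAX_CATEGORY:
            raise ValueError("category out of range: " + item)
        cats.update(range(lo, hi + 1))
    return cats


def valid_level(level):
    """True if the level parses and every category is within c0-c1023."""
    try:
        categories(level)
        return True
    except ValueError:
        return False


def level_from_names(wanted, names, sens="s0"):
    """Build a raw level from category names: ['secret', '4youreyesonly'] -> 's0:c1,c2'."""
    cats = set()
    for name in wanted:
        if name not in names:
            raise KeyError("category name not defined in setrans.conf: " + name)
        cats |= categories(names[name])
    if not cats:
        return sens
    return sens + ":" + ",".join("c%d" % c for c in sorted(cats))


def translate(level, names):
    """Render a raw level with names, e.g. 's0:c1,c2' -> 's0:secret,4youreyesonly'.

    Simplified rendering: undefined categories are left as 'cN'.
    """
    by_cat = {}
    for name, raw in names.items():
        for c in categories(raw):
            by_cat[c] = name
    sens = level.split(":", 1)[0]
    cats = sorted(categories(level))
    if not cats:
        return sens
    return sens + ":" + ",".join(by_cat.get(c, "c%d" % c) for c in cats)


def process_may_access(process_level, file_level):
    """MCS dominance: the process's categories must be a superset of the file's."""
    return categories(process_level) >= categories(file_level)


if __name__ == "__main__":
    names = parse_setrans(SETRANS_SAMPLE)
    secret_file = level_from_names(["secret", "4youreyesonly"], names)
    print("file label:", secret_file, "->", translate(secret_file, names))
    print("unconfined (s0:c0.c1023) may read it:", process_may_access("s0:c0.c1023", secret_file))
    print("user holding only 'secret' may read it:", process_may_access(names["secret"], secret_file))
```

The last two lines of the usage section illustrate the point of assigning categories: a user whose SELinux user is limited to s0:c1 is denied a file labelled s0:c1,c2 even though both share s0, because MCS compares category sets, not sensitivity levels.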